/** * Starts as a client * @param target communication peer * @param mech GSS mech * @throws java.lang.Exception */ public void startAsClient(final String target, final Oid mech) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.x = (ExtendedGSSContext)m.createContext( target.indexOf('@') < 0 ? m.createName(target, null) : m.createName(target, GSSName.NT_HOSTBASED_SERVICE), mech, cred, GSSContext.DEFAULT_LIFETIME); return null; } }, null); }
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
public static void main(String[] args) throws Exception { // We don't care about clock difference new FileOutputStream("krb5.conf").write( "[libdefaults]\nclockskew=999999999".getBytes()); System.setProperty("java.security.krb5.conf", "krb5.conf"); Config.refresh(); Subject subj = new Subject(); KerberosPrincipal kp = new KerberosPrincipal(princ); KerberosKey kk = new KerberosKey( kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0); subj.getPrincipals().add(kp); subj.getPrivateCredentials().add(kk); Subject.doAs(subj, new PrivilegedExceptionAction() { public Object run() throws Exception { GSSManager man = GSSManager.getInstance(); GSSContext ctxt = man.createContext(man.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY)); return ctxt.acceptSecContext(token, 0, token.length); } }); }
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = (ExtendedGSSContext)m.createContext(me.cred); return null; } }, null); }
protected byte[] generateGSSToken( final byte[] input, final Oid oid ) throws GSSException { byte[] token = input; if (token == null) { token = new byte[0]; } GSSManager manager = getManager(); GSSName serverName = manager.createName(servicePrincipalName, servicePrincipalOid); GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); // Get client to login if not already done return gssClient.negotiate(gssContext, token); }
public static String validateServiceTicket(Subject subject, final byte[] serviceTicket) throws GSSException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException, PrivilegedActionException { // Kerberos version 5 OID Oid krb5Oid = KerberosUtils.getOidInstance("GSS_KRB5_MECH_OID"); // Accept the context and return the client principal name. return Subject.doAs(subject, new PrivilegedExceptionAction<String>() { @Override public String run() throws Exception { String clientName = null; // Identify the server that communications are being made to. GSSManager manager = GSSManager.getInstance(); GSSContext context = manager.createContext((GSSCredential) null); context.acceptSecContext(serviceTicket, 0, serviceTicket.length); clientName = context.getSrcName().toString(); return clientName; } }); }
public static void main(String[] args) throws Exception { new OneKDC(null).writeJAASConf(); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); GSSManager gm = GSSManager.getInstance(); GSSCredential cred = gm.createCredential(GSSCredential.INITIATE_AND_ACCEPT); int time = cred.getRemainingLifetime(); int time2 = cred.getRemainingInitLifetime(null); // The test KDC issues a TGT with a default lifetime of 11 hours int elevenhrs = 11*3600; if (time > elevenhrs+60 || time < elevenhrs-60) { throw new Exception("getRemainingLifetime returns wrong value."); } if (time2 > elevenhrs+60 || time2 < elevenhrs-60) { throw new Exception("getRemainingInitLifetime returns wrong value."); } }
public static void main(String[] args) throws Exception { new OneKDC(null).writeJAASConf(); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); GSSManager gm = GSSManager.getInstance(); GSSCredential cred = gm.createCredential(GSSCredential.INITIATE_AND_ACCEPT); int time = cred.getRemainingLifetime(); int time2 = cred.getRemainingInitLifetime(null); // The test KDC issues a TGT with a default lifetime of 11 hours int elevenhrs = KDC.DEFAULT_LIFETIME; if (time > elevenhrs+60 || time < elevenhrs-60) { throw new Exception("getRemainingLifetime returns wrong value."); } if (time2 > elevenhrs+60 || time2 < elevenhrs-60) { throw new Exception("getRemainingInitLifetime returns wrong value."); } }
/** * Starts as a client * @param target communication peer * @param mech GSS mech * @throws java.lang.Exception */ public void startAsClient(final String target, final Oid mech) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.x = m.createContext( target.indexOf('@') < 0 ? m.createName(target, null) : m.createName(target, GSSName.NT_HOSTBASED_SERVICE), mech, cred, GSSContext.DEFAULT_LIFETIME); return null; } }, null); }
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = m.createContext(me.cred); return null; } }, null); }
/** * @since 4.4 */ protected byte[] generateGSSToken( final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException { byte[] inputBuff = input; if (inputBuff == null) { inputBuff = new byte[0]; } final GSSManager manager = getManager(); final GSSName serverName = manager.createName(service + "@" + authServer, GSSName.NT_HOSTBASED_SERVICE); final GSSCredential gssCredential; if (credentials instanceof KerberosCredentials) { gssCredential = ((KerberosCredentials) credentials).getGSSCredential(); } else { gssCredential = null; } final GSSContext gssContext = manager.createContext( serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); return gssContext.initSecContext(inputBuff, 0, inputBuff.length); }
private String acceptSecurityContext( final byte[] serviceTicket) throws GSSException { krb5Oid = new Oid( "1.2.840.113554.1.2.2"); // Accept the context and return the client principal name. return Subject.doAs( subject, new PrivilegedAction<String>() { public String run() { try { // Identify the server that communications are being made to. GSSManager manager = GSSManager.getInstance(); GSSContext context = manager.createContext( (GSSCredential) null); context.acceptSecContext( serviceTicket, 0, serviceTicket.length); return context.getSrcName().toString(); } catch ( Exception e) { e.printStackTrace(); return null; } } }); }
private void initiateSecurityContext( String servicePrincipalName) throws GSSException { GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName( servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE); final GSSContext context = manager.createContext( serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME); // The GSS context initiation has to be performed as a privileged action. this.serviceTicket = Subject.doAs( subject, new PrivilegedAction<byte[]>() { public byte[] run() { try { byte[] token = new byte[0]; // This is a one pass context initialisation. context.requestMutualAuth( false); context.requestCredDeleg( false); return context.initSecContext( token, 0, token.length); } catch ( GSSException e) { e.printStackTrace(); return null; } } }); }
GSSContext initGSS() throws Exception { final GSSManager MANAGER = GSSManager.getInstance(); final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() { @Override public GSSCredential run() throws GSSException { return MANAGER.createCredential(null, GSSCredential.DEFAULT_LIFETIME, KrbConstants.SPNEGO, GSSCredential.INITIATE_ONLY); } }; final GSSCredential clientcreds = Subject.doAs(initiatorSubject, action); final GSSContext context = MANAGER.createContext(MANAGER.createName(acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO), KrbConstants.SPNEGO, clientcreds, GSSContext.DEFAULT_LIFETIME); //TODO make configurable context.requestMutualAuth(true); context.requestConf(true); context.requestInteg(true); context.requestReplayDet(true); context.requestSequenceDet(true); context.requestCredDeleg(false); return context; }